Fix fail2ban issues.
This commit is contained in:
parent
94e969abd9
commit
29c876ce83
1 changed files with 39 additions and 17 deletions
|
@ -1,45 +1,49 @@
|
|||
{ config, lib, ... }:
|
||||
|
||||
# mostly taken from https://github.com/davidak/nixos-config/blob/master/services/fail2ban.nix
|
||||
with lib;
|
||||
|
||||
mkIf (elem "fail2ban" config.machine.services) {
|
||||
let
|
||||
cfg = config.machine;
|
||||
active = name: (elem name cfg.services);
|
||||
in mkIf (elem "fail2ban" cfg.services) {
|
||||
services.fail2ban = {
|
||||
enable = true;
|
||||
jails = {
|
||||
DEFAULT = ''
|
||||
bantime = 3600
|
||||
ignoreip = 127.0.0.1
|
||||
blocktype = DROP
|
||||
logpath = /var/log/auth.log
|
||||
'';
|
||||
|
||||
ssh = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "openssh")}
|
||||
filter = sshd
|
||||
maxretry = 4
|
||||
action = iptables[name=SSH, port=ssh, protocol=tcp]
|
||||
'';
|
||||
sshd-ddos = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "openssh")}
|
||||
filter = sshd-ddos
|
||||
maxretry = 2
|
||||
maxretry = 4
|
||||
action = iptables[name=ssh, port=ssh, protocol=tcp]
|
||||
'';
|
||||
|
||||
postfix = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "mailserver")}
|
||||
filter = postfix
|
||||
maxretry = 3
|
||||
action = iptables[name=postfix, port=smtp, protocol=tcp]
|
||||
'';
|
||||
postfix-sasl = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "mailserver")}
|
||||
filter = postfix-sasl
|
||||
port = postfix,imap3,imaps,pop3,pop3s
|
||||
maxretry = 3
|
||||
action = iptables[name=postfix, port=smtp, protocol=tcp]
|
||||
'';
|
||||
postfix-ddos = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "mailserver")}
|
||||
filter = postfix-ddos
|
||||
maxretry = 3
|
||||
action = iptables[name=postfix, port=submission, protocol=tcp]
|
||||
|
@ -47,7 +51,7 @@ mkIf (elem "fail2ban" config.machine.services) {
|
|||
'';
|
||||
|
||||
nginx-req-limit = ''
|
||||
enabled = true
|
||||
enabled = ${boolToString (active "nginx")}
|
||||
filter = nginx-req-limit
|
||||
maxretry = 10
|
||||
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
|
||||
|
@ -57,15 +61,33 @@ mkIf (elem "fail2ban" config.machine.services) {
|
|||
};
|
||||
};
|
||||
|
||||
environment.etc."fail2ban/filter.d/postfix-ddos.conf".text = ''
|
||||
[Definition]
|
||||
failregex = lost connection after EHLO from \S+\[<HOST>\]
|
||||
'';
|
||||
environment.etc."fail2ban/filter.d/postfix-sasl.conf" = {
|
||||
enable = (active "mailserver");
|
||||
text = ''
|
||||
# Fail2Ban filter for postfix authentication failures
|
||||
[INCLUDES]
|
||||
before = common.conf
|
||||
[Definition]
|
||||
daemon = postfix/smtpd
|
||||
failregex = ^%(__prefix_line)swarning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/]*={0,2})?\s*$
|
||||
'';
|
||||
};
|
||||
|
||||
environment.etc."fail2ban/filter.d/nginx-req-limit.conf".text = ''
|
||||
[Definition]
|
||||
failregex = limiting requests, excess:.* by zone.*client: <HOST>
|
||||
'';
|
||||
environment.etc."fail2ban/filter.d/postfix-ddos.conf" = {
|
||||
enable = (active "mailserver");
|
||||
text = ''
|
||||
[Definition]
|
||||
failregex = lost connection after EHLO from \S+\[<HOST>\]
|
||||
'';
|
||||
};
|
||||
|
||||
environment.etc."fail2ban/filter.d/nginx-req-limit.conf" = {
|
||||
enable = (active "nginx");
|
||||
text = ''
|
||||
[Definition]
|
||||
failregex = limiting requests, excess:.* by zone.*client: <HOST>
|
||||
'';
|
||||
};
|
||||
|
||||
# Limit stack size to reduce memory usage
|
||||
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
|
||||
|
|
Loading…
Reference in a new issue